Use Multi-Factor Authentication with JumpCloud to secure user access to your organization’s resources. This guide shows you how to set up TOTP Multi-factor authentication (MFA) for JumpCloud users. TOTP MFA can be used to authenticate to the User Portal and other JumpCloud-managed resources like devices. See Configure MFA for Your Org before you begin.
Watch how to set up JumpCloud TOTP MFA for user accounts and the Admin Portal in Tutorial: TOTP MFA for Users and Admins.
To learn how to set up TOTP MFA for Administrator accounts, see Enable MFA in the Admin Portal.
You can also secure user access to resources with JumpCloud Protect, Duo MFA, and WebAuthn MFA. See MFA for Admins to learn more. JumpCloud recommends using JumpCloud Protect for your MFA solution.
Require MFA on Users
Requiring Multi-factor Authentication on an Individual User Account
To require MFA on an individual user account:
- Go to User Management > Users.
- Select a user to view their Details. See Getting Started: Users.
- In the User Security Settings and Permissions section, select Require Multi-factor Authentication for User Portal.
- Specify the number of days the user has to enroll in TOTP MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days. The enrollment period applies only to TOTP MFA and not to other MFA factors.
- Click save user. After you save, the user is notified by email and is prompted to set up TOTP MFA the next time they log in to their User Portal.
- During enrollment, the user's details indicate how much time is remaining on their enrollment period.
- After the enrollment period expires, the user is locked out of the User Portal.
Requiring TOTP MFA on Multiple User Accounts
To require MFA on multiple user accounts:
- Go to User Management > Users.
- Select one or more users.
- Click more actions, then select Require User MFA.
- Specify the number of days the user has to enroll in TOTP MFA before they are required to have a TOTP token at login. You can specify a number of days between 1 and 365. The default value is 7 days.
- Click require to require TOTP MFA for the selected users. After you require TOTP MFA for the selected users, they are notified in an email and will be prompted to set up TOTP MFA the next time they log in to their User Portal.
Extending Time for a User to Enroll in TOTP MFA
You can extend enrollment periods for users by resetting their TOTP MFA.
To extend a user's enrollment period:
- Go to User Management > Users.
- Select a user to view their Details panel.
- Click the user's TOTP MFA status to see the TOTP MFA options menu.
- Select the Reset TOTP MFA option from the menu to display the Reset TOTP modal.
- Specify the time period the user has to enroll, starting from today, and then click reset.
After you reset TOTP MFA for a user, they are prompted to set up TOTP for their account.
Resetting TOTP MFA in Case of Device Loss or Failures
If users lose the device containing their TOTP app, admins can reset TOTP MFA for their account.
To reset TOTP MFA for a user:
- Go to User Management > Users.
- Select a user to view their Details panel.
- Click the user's TOTP MFA status to see the TOTP MFA options menu.
- Select the Reset TOTP MFA option from the menu to display the Reset TOTP modal.
- Specify the time period the user has to enroll, starting from today, and then click reset.
After you reset TOTP MFA for a user, they are prompted to set up TOTP for their account.
See Enable TOTP MFA for Devices for information about enabling TOTP MFA on your JumpCloud managed systems.
View User TOTP MFA Status
The Users list MFA column, which defaults to TOTP, shows you a user's TOTP MFA status. When you hover over the status, you can see TOTP MFA status details for a user. The following TOTP MFA Statuses are possible:
- A user has enrolled successfully in TOTP MFA.
- A user has not completed TOTP enrollment.
- A user is in a TOTP MFA enrollment period (dates included).
- A user's TOTP MFA enrollment period has expired (expiration date included).
- A user is in Pre-Enrollment, meaning their enrollment period will begin when their user state changes to active.
You can also view a user's MFA status in their user details.
You can filter the Users list to show MFA status and requirement. See Get Started: Users.
To see users in an enrollment period, apply both the required and inactive MFA status filters. Users with an expired enrollment period are also matched by the same two filters, so use the status details to tell the two groups apart.
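The enrollment-period rules above (1 to 365 days with a default of 7, lockout when the period expires, reset counted from today, pre-enrollment until the user becomes active, and the required + inactive filter matching both enrolling and expired users) can be modelled as a small state machine. The following Python is an added example written for this page, not JumpCloud's own code or API: the field names (`mfa_required`, `totp_configured`, `enrollment_ends`), the `UserState` values and the choice that the last day of the period is still inside it are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

DEFAULT_ENROLLMENT_DAYS = 7   # default enrollment period stated on the page
MAX_ENROLLMENT_DAYS = 365     # upper bound stated on the page


class UserState(Enum):        # assumed states; only "active" starts the clock
    STAGED = "staged"
    ACTIVE = "active"


class TotpStatus(Enum):       # the statuses the MFA column can show
    NOT_REQUIRED = "not required"
    ENROLLED = "enrolled"
    ENROLLING = "in enrollment period"
    EXPIRED = "enrollment period expired"
    PRE_ENROLLMENT = "pre-enrollment"


@dataclass
class User:                   # assumed record layout for the illustration
    username: str
    state: UserState = UserState.ACTIVE
    mfa_required: bool = False
    totp_configured: bool = False
    enrollment_days: int = DEFAULT_ENROLLMENT_DAYS
    enrollment_ends: Optional[date] = None   # last day enrollment is allowed (assumed inclusive)


def parse_day(text: str) -> date:
    """Convenience helper so callers can pass ISO dates as strings."""
    return date.fromisoformat(text)


def _validate_days(days: int) -> int:
    if not 1 <= days <= MAX_ENROLLMENT_DAYS:
        raise ValueError(f"enrollment period must be 1..{MAX_ENROLLMENT_DAYS} days, got {days}")
    return days


def require_totp(user: User, today: date, days: int = DEFAULT_ENROLLMENT_DAYS) -> None:
    """Admin action 'Require MFA': open an enrollment period of `days` days from today.
    A user who is not yet active goes into pre-enrollment; the clock starts on activation."""
    user.mfa_required = True
    user.enrollment_days = _validate_days(days)
    user.enrollment_ends = (today + timedelta(days=days)) if user.state is UserState.ACTIVE else None


def activate(user: User, today: date) -> None:
    """The user's state changes to active; a pending pre-enrollment period starts now."""
    user.state = UserState.ACTIVE
    if user.mfa_required and not user.totp_configured and user.enrollment_ends is None:
        user.enrollment_ends = today + timedelta(days=user.enrollment_days)


def reset_totp(user: User, today: date, days: int) -> None:
    """Admin action 'Reset TOTP MFA': discard any existing token and open a new period
    counted from today. Serves both 'extend the period' and 'device lost' cases."""
    user.totp_configured = False
    require_totp(user, today, days)


def totp_status(user: User, today: date) -> TotpStatus:
    """Derive the MFA-column status from the stored fields."""
    if not user.mfa_required:
        return TotpStatus.NOT_REQUIRED
    if user.totp_configured:
        return TotpStatus.ENROLLED
    if user.enrollment_ends is None:
        return TotpStatus.PRE_ENROLLMENT
    return TotpStatus.ENROLLING if today <= user.enrollment_ends else TotpStatus.EXPIRED


def complete_enrollment(user: User, today: date) -> None:
    """The user finishes TOTP setup; only possible while the period is open."""
    status = totp_status(user, today)
    if status is not TotpStatus.ENROLLING:
        raise PermissionError(f"{user.username}: enrollment not open ({status.value})")
    user.totp_configured = True


def days_remaining(user: User, today: date) -> Optional[int]:
    """Time left in the period, as the user's details would show; None when no period is running."""
    if totp_status(user, today) is not TotpStatus.ENROLLING:
        return None
    return (user.enrollment_ends - today).days


def user_portal_login_allowed(user: User, today: date) -> bool:
    """Lockout rule: a required user whose period has expired cannot log in.
    Enrolled users log in with a TOTP code; enrolling users are prompted to set it up."""
    return totp_status(user, today) is not TotpStatus.EXPIRED


def required_and_inactive(users: List[User]) -> List[User]:
    """The 'required' + 'inactive' filter: every required user without a configured
    token matches, so enrolling and expired users land in the same list."""
    return [u for u in users if u.mfa_required and not u.totp_configured]


if __name__ == "__main__":
    # Constructed walk-through: require on day 0, check at the end of the period, reset.
    alice = User("alice")
    require_totp(alice, parse_day("2024-01-10"))
    for day in ("2024-01-10", "2024-01-17", "2024-01-18"):
        d = parse_day(day)
        print(day, totp_status(alice, d).value, "login allowed:", user_portal_login_allowed(alice, d))
    reset_totp(alice, parse_day("2024-01-20"), 3)
    print("after reset:", totp_status(alice, parse_day("2024-01-23")).value)
```

Running the script shows the user moving from "in enrollment period" to "enrollment period expired" on the day after the seventh day, with login refused, and back to "in enrollment period" once an admin resets TOTP with a fresh three-day window.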
Disabling TOTP MFA for the User Portal
Admins can disable TOTP MFA from guarding the User Portal. When TOTP MFA for the User Portal is disabled, other TOTP MFA protected resources like systems, RADIUS, and the Admin Portal aren’t impacted.
Considerations:
- TOTP MFA is enabled by default.
- At least one MFA factor must be enabled at all times. It’s not possible to disable all MFA factors.
- To successfully disable TOTP MFA, make sure Duo MFA is enabled. Note: WebAuthn requires TOTP MFA or Duo MFA to be enabled. So, WebAuthn can’t be the only other factor that’s enabled when you disable TOTP MFA.
To disable TOTP MFA for the User Portal:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to Security Management > MFA Configurations.
- In the TOTP Configuration section, click Disable.
Re-enabling TOTP MFA for the User Portal
Admins can re-enable TOTP MFA to guard the User Portal. Re-enabling TOTP MFA for the User Portal doesn’t impact other TOTP MFA protected resources like systems, RADIUS, and the Admin Portal.
Considerations:
- When TOTP MFA is re-enabled for the User Portal, admins can’t reopen an enrollment period. This means:
  - Users who don’t set up TOTP MFA in their enrollment period are locked out.
  - Users in their enrollment period remain in enrollment.
- When TOTP MFA is re-enabled for the User Portal, Admins need to require MFA on their users from the More Actions Menu or from the User Details panel.
- Admins can enable multiple factors for the User Portal.
- Users can choose their MFA method when more than one factor is enabled.
To re-enable TOTP MFA for the User Portal:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to Security Management > MFA Configurations.
- In the TOTP Configuration section, click Enable.
Next Steps:
- Understand User Workflow with MFA.
- Enable MFA for RADIUS and Devices.
- Enable MFA for the Admin Portal.
TOTP attempts are not unlimited. The number of attempts allowed for users is set by the IT Admin; admin attempts are limited to five. If settings are selected, that will count toward password or MFA attempts.